"Pre-loss mitigation services offered by carriers have just become table stakes," she said. "Everyone wants their clients' risks to be improved."
And that translates to better security, she said, as companies become more aware of their vulnerabilities and take steps to close the gaps, train their employees, and reduce response times.
But there's a limit to how much insurance companies can actually do when it comes to measuring risk, she said.
Cyber insurance lacks hard actuarial data, technical experts
According to Soubra, the insurance industry is still 30 to 50 years away from having a standardized cybersecurity data set, with relevant actuarial data, that it can pull insights from.
"The threat vectors are constantly evolving," she said. "There are new ways to get into the system, new types of ransomware are constantly being created. This, in turn, has the coverage that we're offering constantly evolving. So we're collecting new types of data that we weren't collecting in the past."
It doesn't help that it's difficult for insurance companies to share data, she said.
For example, insurance companies are often bound by non-disclosure agreements, and there's no central body that collects cyber information -- like, for example, the Federal Aviation Administration does for airplane accidents and the National Highway Traffic Safety Administration does for driving.
"We need a way to standardize the data, share it, and repackage it in a way that would be useful," she said.
Instead, what happens is that insurance companies mostly sell coverage for loss of personally identifiable information and to cover the costs of business interruption due to cyber attacks, said Adam Thomas, principal at Deloitte Cyber Risk Services.
The way it works is that companies looking to buy insurance fill out a questionnaire, then their insurance broker sets them up on a conference call with half a dozen carriers.
"It's a high-level assessment -- there's not a lot of substantiation going on," he said.
And on the call itself, the carriers tend not to ask probing questions -- they don't want to give away their trade secrets to their competition, and they don't want the client to think they're hard to do business with.
"So that's about as much due diligence as insurance companies do," he said. "And more recently, some of those calls have gone away because it was too much pressure on the customer."
The cyber insurance industry doesn't have anywhere near the kind of deep expertise as, say, property and casualty, life insurance, or automotive.
"You'd think they'd take their actuarial knowledge, analytical knowledge and amass a ton of information about the claims they paid out, what the underlying causes were, so they can improve their policies," he said. "And the reality is, they haven't."